[ARVADOS] updated: 6f6f108d9d5bcb2e2a033bb16ac5dd78e108291f
git at public.curoverse.com
git at public.curoverse.com
Tue Feb 4 02:52:26 EST 2014
Summary of changes:
.../api/app/controllers/application_controller.rb | 14 +-------------
.../arvados/v1/collections_controller.rb | 14 ++++++++------
services/api/app/models/arvados_model.rb | 15 +++++++++++++++
services/api/test/fixtures/links.yml | 2 +-
4 files changed, 25 insertions(+), 20 deletions(-)
via 6f6f108d9d5bcb2e2a033bb16ac5dd78e108291f (commit)
from 3c98bafafb83a5ab76251472ed3f65aa291f3e9d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
commit 6f6f108d9d5bcb2e2a033bb16ac5dd78e108291f
Author: Tom Clegg <tom at curoverse.com>
Date: Mon Feb 3 23:50:54 2014 -0800
Move can_read permission logic into ArvadosModel.readable_by scope,
and use that in collections.provenance instead of plain where().
refs #1977
refs #2037
diff --git a/services/api/app/controllers/application_controller.rb b/services/api/app/controllers/application_controller.rb
index dcb9c0c..05d1242 100644
--- a/services/api/app/controllers/application_controller.rb
+++ b/services/api/app/controllers/application_controller.rb
@@ -119,19 +119,7 @@ class ApplicationController < ActionController::Base
end
def find_objects_for_index
- uuid_list = [current_user.uuid, *current_user.groups_i_can(:read)]
- sanitized_uuid_list = uuid_list.
- collect { |uuid| model_class.sanitize(uuid) }.join(', ')
- or_references_me = ''
- if model_class == Link and current_user
- or_references_me = "OR (#{table_name}.link_class in (#{model_class.sanitize 'permission'}, #{model_class.sanitize 'resources'}) AND #{model_class.sanitize current_user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid))"
- end
- @objects ||= model_class.
- joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner_uuid, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
- where("?=? OR #{table_name}.owner_uuid in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
- true, current_user.is_admin,
- uuid_list,
- current_user.uuid)
+ @objects ||= model_class.readable_by(current_user)
if !@where.empty?
conditions = ['1=1']
@where.each do |attr,value|
diff --git a/services/api/app/controllers/arvados/v1/collections_controller.rb b/services/api/app/controllers/arvados/v1/collections_controller.rb
index 9198f58..65d5276 100644
--- a/services/api/app/controllers/arvados/v1/collections_controller.rb
+++ b/services/api/app/controllers/arvados/v1/collections_controller.rb
@@ -87,11 +87,11 @@ class Arvados::V1::CollectionsController < ApplicationController
return ""
end
- #puts "visiting #{uuid}"
+ logger.debug "visiting #{uuid}"
if m
# uuid is a collection
- Collection.where(uuid: uuid).each do |c|
+ Collection.readable_by(current_user).where(uuid: uuid).each do |c|
visited[uuid] = c.as_api_response
visited[uuid][:files] = []
c.files.each do |f|
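Review bot: `logger.debug "visiting #{uuid}"` writes the uuid into the log unescaped. The start of this method is outside the hunk, so it is not visible whether uuid is validated before this line. It is passed in recursively from link tail_uuids and, it appears, from job script parameters, both of which are stored user data. Logging the inspected form keeps control characters such as newlines from splitting or forging log lines: `logger.debug "visiting #{uuid.inspect}"`.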
@@ -99,11 +99,11 @@ class Arvados::V1::CollectionsController < ApplicationController
end
end
- Job.where(output: uuid).each do |job|
+ Job.readable_by(current_user).where(output: uuid).each do |job|
generate_provenance_edges(visited, job.uuid)
end
- Job.where(log: uuid).each do |job|
+ Job.readable_by(current_user).where(log: uuid).each do |job|
generate_provenance_edges(visited, job.uuid)
end
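Review bot: The `Job.readable_by(current_user).where(output: uuid).each` and `where(log: uuid)` loops can now visit the same job more than once. readable_by adds a `LEFT JOIN links permissions`, so a job matched by two permission links (for example one on the job and one on its owner) comes back as two rows. The same holds for the Collection lookup in the hunk above and for the Job and Link lookups in the two hunks below. Whether the repeated call is cheap depends on the visited check at the top of generate_provenance_edges, which is outside the hunk. De-duplicating once in the scope would cover every caller, for instance by expressing the permission test as an `EXISTS (...)` subquery in the where clause instead of a join.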
@@ -111,7 +111,7 @@ class Arvados::V1::CollectionsController < ApplicationController
# uuid is something else
rsc = ArvadosModel::resource_class_for_uuid uuid
if rsc == Job
- Job.where(uuid: uuid).each do |job|
+ Job.readable_by(current_user).where(uuid: uuid).each do |job|
visited[uuid] = job.as_api_response
script_param_edges(visited, job.script_parameters)
end
@@ -122,7 +122,9 @@ class Arvados::V1::CollectionsController < ApplicationController
end
end
- Link.where(head_uuid: uuid, link_class: "provenance").each do |link|
+ Link.readable_by(current_user).
+ where(head_uuid: uuid, link_class: "provenance").
+ each do |link|
visited[link.uuid] = link.as_api_response
generate_provenance_edges(visited, link.tail_uuid)
end
diff --git a/services/api/app/models/arvados_model.rb b/services/api/app/models/arvados_model.rb
index 69eae92..4f2aa72 100644
--- a/services/api/app/models/arvados_model.rb
+++ b/services/api/app/models/arvados_model.rb
@@ -58,6 +58,21 @@ class ArvadosModel < ActiveRecord::Base
end
end
+ def self.readable_by user
+ uuid_list = [user.uuid, *user.groups_i_can(:read)]
+ sanitized_uuid_list = uuid_list.
+ collect { |uuid| sanitize(uuid) }.join(', ')
+ or_references_me = ''
+ if self == Link and user
+ or_references_me = "OR (#{table_name}.link_class in (#{sanitize 'permission'}, #{sanitize 'resources'}) AND #{sanitize user.uuid} IN (#{table_name}.head_uuid, #{table_name}.tail_uuid))"
+ end
+ joins("LEFT JOIN links permissions ON permissions.head_uuid in (#{table_name}.owner_uuid, #{table_name}.uuid) AND permissions.tail_uuid in (#{sanitized_uuid_list}) AND permissions.link_class='permission'").
+ where("?=? OR #{table_name}.owner_uuid in (?) OR #{table_name}.uuid=? OR permissions.head_uuid IS NOT NULL #{or_references_me}",
+ true, user.is_admin,
+ uuid_list,
+ user.uuid)
+ end
+
protected
def ensure_permission_to_create
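Review bot: The `and user` test in `if self == Link and user` cannot protect against a nil user, because `user.uuid` and `user.groups_i_can(:read)` are already called on the first line of readable_by. With no user the scope raises NoMethodError rather than returning an empty result, and it is now reached from collections.provenance as well as from index. Whether current_user can be nil on those paths is not visible here. If it can, a guard such as `return where('1=0') unless user` as the first line would make the scope deny cleanly. A one-line comment above the method listing the four grounds for read access (admin, owner, the user's own record, a permission link) would also help, since this is now the single place where read permission is decided.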
diff --git a/services/api/test/fixtures/links.yml b/services/api/test/fixtures/links.yml
index da5b144..de779b3 100644
--- a/services/api/test/fixtures/links.yml
+++ b/services/api/test/fixtures/links.yml
@@ -203,6 +203,6 @@ barbaz_job_readable_by_spectator:
link_class: permission
name: can_read
head_kind: arvados#job
- head_uuid: zzzzz-8i9sb-aceg2bnq7jt7kon
+ head_uuid: zzzzz-8i9sb-cjs4pklxxjykyuq
properties: {}
-----------------------------------------------------------------------
hooks/post-receive
--